Stronger wscript.exe rules possible?

I have several script files, which I run daily. The very first time I run a script, CIS asks me to allow explorer.exe to run wscript.exe; after that, every other script gives no alarm, because wscript.exe is in the security rules, and I find this is a security hole, because from now on every script can run on my PC without asking!

My wish: I want to put the names of my script files in the security rules of explorer.exe or wscript.exe, and every other script must ask again.

I tried to put the complete call for a script (like wscript.exe c:\programs\test.vbs) in the explorer.exe rules, but this doesn’t help.

I tried to put *.vbs in “My protected files”, but it does not ask when scripts are run for the first time.

Is there an option I do not see, or is this really a security hole?

Something you could try is to create your own Defence+ policy in pre-defined security policies, make sure every setting is set to Ask, then give that policy to wscript.exe.


You may need to be in Paranoid mode for it to work, otherwise the white list/Trusted vendors may come into play!

What you said doesn’t work, Matty.

Wscript.exe is an untrusted app.
And it doesn’t help to set a predefined policy to wscript.exe.
I tried a lot, but can't get CIS to work like it should.
Image execution control hasn’t helped. I put *.vbs into it.
I have put *.vbs in the block list of the start program list of wscript.exe.
Nothing has helped at all.